New Theoretical Techniques for Analyzing and Mitigating Password Cracking Attacks.

Details

Material Type  
 Dissertation
Control Number  
0017162750
International Standard Book Number  
9798342106252
Dewey Decimal Classification Number  
519.77
Main Entry-Personal Name  
Liu, Peiyuan.
Publication, Distribution, etc. (Imprint)  
[S.l.] : Purdue University., 2024
Publication, Distribution, etc. (Imprint)  
Ann Arbor : ProQuest Dissertations & Theses, 2024
Physical Description  
255 p.
General Note  
Source: Dissertations Abstracts International, Volume: 86-05, Section: B.
General Note  
Advisor: Blocki, Jeremiah.
Dissertation Note  
Thesis (Ph.D.)--Purdue University, 2024.
Summary, Etc.  
Brute force guessing attacks continue to pose a significant threat to user passwords. To protect user passwords against brute force attacks, many organizations impose restrictions aimed at forcing users to select stronger passwords. Organizations may also adopt stronger hashing functions in an effort to deter offline brute force guessing attacks. However, these defenses induce trade-offs between security, usability, and the resources an organization is willing to investigate to protect passwords. In order to make informed password policy decisions, it is crucial to understand the distribution over user passwords and how policy updates will impact this password distribution and/or the strategy of a brute force attacker.

The first part of this thesis focuses on developing rigorous statistical tools to analyze user password distributions and the behavior of brute force password attackers. In particular, we first develop several rigorous statistical techniques to upper and lower bound the guessing curve of an optimal attacker who knows the user password distribution and can order guesses accordingly. We apply these techniques to analyze eight password datasets and two PIN datasets. Our empirical analysis demonstrates that our statistical techniques can be used to evaluate password composition policies, compare the strength of different password distributions, quantify the impact of applying PIN blocklists, and help tune hash cost parameters. A real world attacker may not have perfect knowledge of the password distribution. Prior work introduced an efficient Monte Carlo technique to estimate the guessing number of a password under a particular password cracking model, i.e., the number of guesses an attacker would check before this particular password. This tool can also be used to generate password guessing curves, but there is no absolute guarantee that the guessing number and the resulting guessing curves are accurate. Thus, we propose a tool called Confident Monte Carlo that uses rigorous statistical techniques to upper and lower bound the guessing number of a particular password as well as the attacker's entire guessing curve. Our empirical analysis also demonstrates that this tool can be used to help inform password policy decisions, e.g., identifying and warning users with weaker passwords, or tuning hash cost parameters.

The second part of this thesis focuses on developing stronger password hashing algorithms to protect user passwords against offline brute force attacks. In particular, we establish that the memory hard function Scrypt, which has been widely deployed as a password hash function, is maximally bandwidth hard. We also present new techniques to construct and analyze depth robust graphs with improved concrete parameters. Depth robust graphs play an essential role in the design and analysis of memory hard functions.
Subject Added Entry-Topical Term  
Integer programming.
Subject Added Entry-Topical Term  
Confidence.
Subject Added Entry-Topical Term  
Graphs.
Subject Added Entry-Topical Term  
Passwords.
Subject Added Entry-Topical Term  
Cybersecurity.
Subject Added Entry-Topical Term  
Computer science.
Added Entry-Corporate Name  
Purdue University.
Host Item Entry  
Dissertations Abstracts International. 86-05B.
Electronic Location and Access  
This material can be viewed after logging in.
Control Number  
joongbu:658650

MARC

 008250224s2024        us  ||||||||||||||c||eng  d
■001000017162750
■00520250211152050
■006m          o    d                
■007cr#unu||||||||
■020    ▼a9798342106252
■035    ▼a(MiAaPQ)AAI31345323
■035    ▼a(MiAaPQ)Purdue25678026
■040    ▼aMiAaPQ▼cMiAaPQ
■0820  ▼a519.77
■1001  ▼aLiu,  Peiyuan.
■24510▼aNew  Theoretical  Techniques  for  Analyzing  and  Mitigating  Password  Cracking  Attacks.
■260    ▼a[S.l.]▼bPurdue  University.  ▼c2024
■260  1▼aAnn  Arbor▼bProQuest  Dissertations  &  Theses▼c2024
■300    ▼a255  p.
■500    ▼aSource:  Dissertations  Abstracts  International,  Volume:  86-05,  Section:  B.
■500    ▼aAdvisor:  Blocki,  Jeremiah.
■5021  ▼aThesis  (Ph.D.)--Purdue  University,  2024.
■520    ▼aBrute  force  guessing  attacks  continue  to  pose  a  significant  threat  to  user  passwords.  To  protect  user  passwords  against  brute  force  attacks,  many  organizations  impose  restrictions  aimed  at  forcing  users  to  select  stronger  passwords.  Organizations  may  also  adopt  stronger  hashing  functions  in  an  effort  to  deter  offline  brute  force  guessing  attacks.  However,  these  defenses  induce  trade-offs  between  security,  usability,  and  the  resources  an  organization  is  willing  to  investigate  to  protect  passwords.  In  order  to  make  informed  password  policy  decisions,  it  is  crucial  to  understand  the  distribution  over  user  passwords  and  how  policy  updates  will  impact  this  password  distribution  and/or  the  strategy  of  a  brute  force  attacker.This  first  part  of  this  thesis  focuses  on  developing  rigorous  statistical  tools  to  analyze  user  password  distributions  and  the  behavior  of  brute  force  password  attackers.  In  particular,  we  first  develop  several  rigorous  statistical  techniques  to  upper  and  lower  bound  the  guessing  curve  of  an  optimal  attacker  who  knows  the  user  password  distribution  and  can  order  guesses  accordingly.  We  apply  these  techniques  to  analyze  eight  password  datasets  and  two  PIN  datasets.  Our  empirical  analysis  demonstrates  that  our  statistical  techniques  can  be  used  to  evaluate  password  composition  policies,  compare  the  strength  of  different  password  distributions,  quantify  the  impact  of  applying  PIN  blocklists,  and  help  tune  hash  cost  parameters.  A  real  world  attacker  may  not  have  perfect  knowledge  of  the  password  distribution.  
Prior  work  introduced  an  efficient  Monte  Carlo  technique  to  estimate  the  guessing  number  of  a  password  under  a  particular  password  cracking  model,  i.e.,  the  number  of  guesses  an  attacker  would  check  before  this  particular  password.  This  tool  can  also  be  used  to  generate  password  guessing  curves,  but  there  is  no  absolute  guarantee  that  the  guessing  number  and  the  resulting  guessing  curves  are  accurate.  Thus,  we  propose  a  tool  called  Confident  Monte  Carlo  that  uses  rigorous  statistical  techniques  to  upper  and  lower  bound  the  guessing  number  of  a  particular  password  as  well  as  the  attacker's  entire  guessing  curve.  Our  empirical  analysis  also  demonstrate  that  this  tool  can  be  used  to  help  inform  password  policy  decisions,  e.g.,  identifying  and  warning  users  with  weaker  passwords,  or  tuning  hash  cost  parameters.The  second  part  of  this  thesis  focuses  on  developing  stronger  password  hashing  algorithms  to  protect  user  passwords  against  offline  brute  force  attacks.  In  particular,  we  establish  that  the  memory  hard  function  Scrypt,  which  has  been  widely  deployed  as  password  hash  function,  is  maximally  bandwidth  hard.  We  also  present  new  techniques  to  construct  and  analyze  depth  robust  graph  with  improved  concrete  parameters.  Depth  robust  graph  play  an  essential  rule  in  the  design  and  analysis  of  memory  hard  functions.
■590    ▼aSchool  code:  0183.
■650  4▼aInteger  programming.
■650  4▼aConfidence.
■650  4▼aGraphs.
■650  4▼aPasswords.
■650  4▼aCybersecurity.
■650  4▼aComputer  science.
■690    ▼a0984
■71020▼aPurdue  University.
■7730  ▼tDissertations  Abstracts  International▼g86-05B.
■790    ▼a0183
■791    ▼aPh.D.
■792    ▼a2024
■793    ▼aEnglish
■85640▼uhttp://www.riss.kr/pdu/ddodLink.do?id=T17162750▼nKERIS▼zThe full text of this material is provided by the Korea Education and Research Information Service.

    Holdings
    Registration No. Call No. Collection Status Loan Info.
    TQ0034968 T   Full-text material Viewable/Printable Viewable/Printable